Secrets Management Commands

The cre secrets commands manage secrets stored in the Vault DON (Decentralized Oracle Network) for deployed workflows. These commands allow you to create, update, delete, and list secrets that your workflows can access at runtime.

Namespaces

Secrets are organized into namespaces, which act as logical groupings (e.g., "main", "staging", "production"). All secrets are stored in the "main" namespace by default. Currently, create, update, and delete commands only support the default namespace. Custom namespace support may be added in future CLI versions.

cre secrets create

Creates new secrets in the Vault DON from a YAML file.

Usage

cre secrets create [SECRETS_FILE_PATH] [flags]

Arguments

• SECRETS_FILE_PATH — (Required) Path to a YAML file containing the secrets to create

Flags

Input file format

YAML file with secretsNames structure:

secretsNames:
  API_KEY:
    - API_KEY_VALUE

  DATABASE_URL:
    - DATABASE_URL_VALUE

• secretsNames — Top-level key containing all secrets
• Each secret key (e.g., API_KEY) maps to an array containing an environment variable name
• Secret values are read from environment variables or .env file

Examples

• Create secrets from YAML file

  cre secrets create my-secrets.yaml --target production-settings
  

• Create secrets with custom timeout

  cre secrets create my-secrets.yaml --timeout 1h
  

• Create secrets for multi-sig wallets

  cre secrets create my-secrets.yaml --unsigned
  

cre secrets update

Updates existing secrets in the Vault DON from a YAML file.

Usage

cre secrets update [SECRETS_FILE_PATH] [flags]

Arguments

• SECRETS_FILE_PATH — (Required) Path to a YAML file containing the secrets to update

Flags

Input file format

Same YAML format as create.

Examples

• Update secrets

  cre secrets update my-secrets.yaml --target production-settings
  

• Update secrets with custom timeout

  cre secrets update my-secrets.yaml --timeout 6h
  

cre secrets delete

Deletes secrets from the Vault DON based on a YAML file.

Usage

cre secrets delete [SECRETS_FILE_PATH] [flags]

Arguments

• SECRETS_FILE_PATH — (Required) Path to a YAML file containing the secrets to delete

Flags

Input file format

YAML file with a simple list of secret identifiers to delete:

secretsNames:
  - API_KEY
  - OLD_SECRET

Example

cre secrets delete secrets-to-delete.yaml --target production-settings

cre secrets list

Lists all secret identifiers for your owner address in a specific namespace.

Usage

cre secrets list [flags]

Flags

Example

• List secrets in default namespace

  cre secrets list --target production-settings
  

• List secrets in specific namespace

  cre secrets list --namespace production
  

Output

Returns secret identifiers (not values) for the specified namespace:

Secret identifiers in namespace 'main':
  - API_KEY
  - DATABASE_URL
  - WEBHOOK_SECRET

Using with multi-sig wallets

All commands support the --unsigned flag for multi-sig operations:

cre secrets create my-secrets.yaml --unsigned

When --unsigned is used:

1. CLI generates raw transaction data instead of broadcasting
2. Transaction payload is returned for submission through your multi-sig interface
3. After multi-sig confirmation, the secrets operation proceeds

For details, see Using Multi-sig Wallets.

Learn more

• Managing Secrets — Overview and decision tree for secrets management
• Using Secrets in Simulation — For local development
• Using Secrets with Deployed Workflows — Complete guide with examples
• Managing Secrets with 1Password — Best practice for secure management
• Using Multi-sig Wallets — Multi-sig configuration